Terraform Auth0 - Authorizing M2M App for Resource Server

I’m an avid Terraform/Auth0 user, and I’m wondering if it’s feasible to authorize a resource server for a machine-to-machine (M2M) application using Terraform instead of the Auth0 dashboard. I’ve found success with Terraform in managing Auth0 tasks, but this specific scenario has me stumped.

Could you provide insight on whether this can be achieved programmatically through Terraform? Any pointers or documentation references would be incredibly helpful. I’m keen on automating this process to enhance our workflow.

Thanks for your time!


Hi mohamed

Yes, I can help you with this as we have just completed such a scenario.

Before I post a solution, please can you confirm which version of the Auth0 Terraform provider you are using.

https://registry.terraform.io/providers/auth0/auth0/latest/docs

Kind regards

Richard

hi Richard,
I’m currently using the 1.0.0-beta.1 version.

Hi Mohamed.

I will assume you have already created an Auth0 M2M Application for your Terraforming, and assigned the Auth0 Management API to the application. I will call this application the Terraform Client Application.

In your project, create an auth0.tf file. In the following code snippet, I have created an authorisation api and two service applications that both have the audience set to the identifier of the authorisation api.

In the provider section, the domain is your environment tenant domain. If you have enabled custom domains, you must use the original auth0 domain and not your custom domain. The client_id and client_secret are the details of the Terraform Client Application I have mentioned above.

In the resource auth0_resource_server section you will need to add your domain. In fact the identifier can be any valid URL structure. The domain does not have to exist, as this field is only used as a unique identifier.

In the resource auth0_resource_server_scopes section, you can add as many scopes as you like. In this example, I’ve added the update:customer scope.

In the resource auth0_client_grant sections, you control which scopes the application is allowed to ‘give out’ when the service requests an access token.

provider "auth0" {
  # Original Auth0 tenant domain (not a custom domain)
  domain        = "<your_tenant_domain>"
  # Credentials of the Terraform Client Application (M2M app with the Management API assigned)
  client_id     = "<terraform_client_application_client_id>"
  client_secret = "<terraform_client_application_client_secret>"
}

################ Set Up Authorisation API
resource "auth0_resource_server" "service_scopes_api" {
  name       = "service-scopes-api"
  # Any valid URL works as the identifier; the host does not have to resolve
  identifier = "https://service-scopes-api.<your_domain>.com/"
}

############### Set Up Authorisation API Scopes
resource "auth0_resource_server_scopes" "service_scopes_api_scopes" {
  resource_server_identifier = auth0_resource_server.service_scopes_api.identifier

  scopes {
    value       = "read:customer"
    description = "Read Customer data"
  }

  scopes {
    value       = "update:customer"
    description = "Update Customer data"
  }

  scopes {
    value       = "read:address"
    description = "Read Address data"
  }
}

################ Set Up Customer Service
resource "auth0_client" "customer_service" {
  name        = "customer-service"
  app_type    = "non_interactive"
  grant_types = ["client_credentials"]
  description = "Application for customer service authorisation"
  jwt_configuration {
    lifetime_in_seconds = 86400
    alg                 = "RS256"
  }
}

############## Set Up Expected Scopes Of The Customer Service
# The grant limits which of the API's scopes this client can be issued
resource "auth0_client_grant" "customer_service_grant" {
  client_id = auth0_client.customer_service.id
  audience  = auth0_resource_server.service_scopes_api.identifier
  scope     = ["read:customer"]
}

################ Set Up Address Service
resource "auth0_client" "address_service" {
  name        = "address-service"
  app_type    = "non_interactive"
  grant_types = ["client_credentials"]
  description = "Application for address service authorisation"
  jwt_configuration {
    lifetime_in_seconds = 86400
    alg                 = "RS256"
  }
}

############## Set Up Expected Scopes Of The Address Service
resource "auth0_client_grant" "address_service_grant" {
  client_id = auth0_client.address_service.id
  audience  = auth0_resource_server.service_scopes_api.identifier
  scope     = ["read:address"]
}

Once you have created your resources, you can test the api and applications by using Postman or Curl.

curl --location 'https:///oauth/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=<client_id_of_customer_service>' \
  --data-urlencode 'client_secret=<client_secret_of_customer_service>' \
  --data-urlencode 'audience=https://service-scopes-api.<your_domain>.com/' \
  --data-urlencode 'grant_type=client_credentials'

curl --location 'https:///oauth/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=<client_id_of_address_service>' \
  --data-urlencode 'client_secret=<client_secret_of_address_service>' \
  --data-urlencode 'audience=https://service-scopes-api.<your_domain>.com/' \
  --data-urlencode 'grant_type=client_credentials'

Give me a shout if you need more guidance.

Kind regards

Richard
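The Terraform above defines three scopes on the API but grants each service only one of them, and the curl calls return a client-credentials token whose claims should reflect exactly that grant. The following Python script is an added example (not part of Richard's post or the Auth0 provider) that does two checks a practitioner would run after `terraform apply`: a static review of the scope/grant sets for scopes that are granted but never defined or defined but never granted, and a comparison of an issued token's `aud`, `gty`, `scope` and lifetime claims against the grant for that client. The scope sets, API identifier, tenant name and sample token are constructed here to mirror the thread; the helper only decodes the token payload for inspection and does not verify its signature, which the consuming services must still do against the tenant JWKS.

```python
import base64
import json

# Constructed mirrors of the Terraform resources in the thread (not read from
# state): scopes defined on auth0_resource_server_scopes and the scope list of
# each auth0_client_grant. The identifier is a placeholder for <your_domain>.
API_IDENTIFIER = "https://service-scopes-api.example.com/"
DEFINED_SCOPES = {"read:customer", "update:customer", "read:address"}
CLIENT_GRANTS = {
    "customer-service": {"read:customer"},
    "address-service": {"read:address"},
}
TOKEN_LIFETIME = 86400  # lifetime_in_seconds from jwt_configuration


def grant_review(defined=DEFINED_SCOPES, grants=CLIENT_GRANTS):
    """Static check of the config: grants naming scopes the API never defines,
    and defined scopes that no client is granted (dead scopes worth pruning).
    Returns (undefined_by_client, unused_scopes)."""
    granted = set().union(*grants.values()) if grants else set()
    undefined = {name: sorted(s - defined) for name, s in grants.items() if s - defined}
    unused = sorted(defined - granted)
    return undefined, unused


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_payload(token):
    """Decode the JWT payload WITHOUT verifying the signature. Only for
    inspecting a token just returned by /oauth/token over TLS; any service that
    accepts the token must verify the RS256 signature against the tenant JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token, client_name, audience=API_IDENTIFIER,
                grants=CLIENT_GRANTS, lifetime=TOKEN_LIFETIME):
    """Compare the claims of a client-credentials token with what Terraform
    granted to client_name. Returns a list of findings; empty means the token
    carries exactly the granted scopes for the expected audience."""
    claims = decode_payload(token)
    findings = []
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        findings.append(f"aud {aud!r} does not contain {audience}")
    if claims.get("gty") != "client-credentials":
        findings.append(f"gty is {claims.get('gty')!r}, expected client-credentials")
    issued = set(claims.get("scope", "").split())
    expected = grants.get(client_name, set())
    if issued - expected:
        findings.append(f"scopes not granted to {client_name}: {sorted(issued - expected)}")
    if expected - issued:
        findings.append(f"granted scopes missing from token: {sorted(expected - issued)}")
    lived = claims.get("exp", 0) - claims.get("iat", 0)
    if lived != lifetime:
        findings.append(f"exp-iat is {lived}, expected {lifetime}")
    return findings


def sample_token(scope, client_id="customerServiceClientId", iat=1_700_000_000):
    """Build an UNSIGNED sample token shaped like an Auth0 client-credentials
    access token (constructed for this example; the signature segment is fake)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}
    payload = {
        "iss": "https://your-tenant.auth0.com/",  # placeholder tenant
        "sub": f"{client_id}@clients",
        "aud": API_IDENTIFIER,
        "iat": iat,
        "exp": iat + TOKEN_LIFETIME,
        "azp": client_id,
        "scope": scope,
        "gty": "client-credentials",
    }
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     "fake-signature"])


if __name__ == "__main__":
    print("grant review (undefined, unused):", grant_review())
    print("customer-service, as granted:",
          check_token(sample_token("read:customer"), "customer-service"))
    print("customer-service, over-scoped:",
          check_token(sample_token("read:customer update:customer"), "customer-service"))
```

To use it against a real tenant, paste the `access_token` from the curl response into `check_token(...)` with the name of the client you requested it for; a non-empty findings list means the grant in Terraform and the token Auth0 actually issues have drifted apart (for example after someone widened a grant in the dashboard), which is the condition you want to catch before a service starts relying on it.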

Hey there everyone!

I thought I’d chime in again with something that might be of interest to you! We’re hosting an Ask Me Anything Session in our Forum regarding the Auth0 Terraform Provider.

It’s gonna be on Thursday, September 28, 2023. Check out more info about it here!